Hi,
When running sssctl config-check, I get this error message:
[rule/allowed_domain_options]: Attribute 'selinux_provider' is not allowed in section 'domain/XXXXX'. Check for typos.
I do have selinux_provider = none in the domain section and the man page for sssd.conf says it's ok to use.
The version of sssd in question is 1.14.0. So who's right: man page or sssctl?
The reason for using selinux_provider = none in general is that I'm trying to prevent sssd from blocking logins when the root partition is full. When that happens, sssd tries to create a temp dir under /etc to process selinux stuff and once that fails, authentication fails.
mkdir("/etc/selinux/targeted/tmp", 0700) = -1 ENOSPC (No space left on device)
Setting selinux to none does seem to take care of this problem but in the case of 1.14.0 that seems a problem.
Btw, can you advise of other critical locations on the root filesystem that could prevent authentication if it's full? Anything I could do?
Looks like the config validation is based on /usr/share/sssd/cfg_rules.ini, which indeed doesn't list selinux_provider on that system. But the github 1-14 branch does.
This was fixed in dec0019
The selinux_provider is of course a valid option, it was just missing from the schema.
Metadata Update from @jhrozek: - Issue close_status updated to: worksforme - Issue status updated to: Closed (was: Open)
The only other place that critically needs to be writable is the sssd cache, e.g. /var/lib/sss/db.
It might be a good idea to have a separate partition for /var/lib/sss in general.
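The schema mismatch discussed in this thread can be checked for directly. The following is an added example, not part of the original thread and not SSSD's own code: it lists options in a domain section that a schema file in the style of /usr/share/sssd/cfg_rules.ini does not allow. The rule-file layout, both sample files and the domain name EXAMPLE are constructed assumptions.

```python
import re

# Constructed excerpt; assumed layout: a rule section with a section_re
# and one "option = name" line per allowed option.
SAMPLE_RULES = """\
[rule/allowed_domain_options]
validator = ini_allowed_options
section_re = ^domain/.*$
option = id_provider
option = auth_provider
option = access_provider
"""

# Constructed sssd.conf; the domain name is a placeholder.
SAMPLE_CONF = """\
[sssd]
domains = EXAMPLE

[domain/EXAMPLE]
id_provider = ldap
auth_provider = ldap
selinux_provider = none
"""

def parse_sections(text):
    """Return [(section, [(key, value), ...])], keeping repeated keys."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip(), []))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1].append((key.strip(), value.strip()))
    return sections

def unknown_options(rules_text, conf_text, rule="rule/allowed_domain_options"):
    """List (section, option) pairs in conf that the schema rule does not allow."""
    pairs = dict(parse_sections(rules_text)).get(rule, [])
    allowed = {v for k, v in pairs if k == "option"}
    # Assumes the pattern is simple enough for Python's re to read it as written.
    pattern = re.compile(next((v for k, v in pairs if k == "section_re"), "^domain/"))
    return [(name, key)
            for name, items in parse_sections(conf_text) if pattern.search(name)
            for key, _ in items if key not in allowed]

if __name__ == "__main__":
    for section, option in unknown_options(SAMPLE_RULES, SAMPLE_CONF):
        print(f"'{option}' in [{section}] is missing from the schema")
```

An option reported here may still be valid in the daemon, as in this thread; the result only says the schema file and the configuration disagree.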
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: https://github.com/SSSD/sssd/issues/4786
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.